General
-
Target
Ref671005018.xla.xlsx
-
Size
233KB
-
Sample
221026-qxyt6afher
-
MD5
4e2e5429ef978cde8873d5354606cf77
-
SHA1
39d1d9c8416380c967c7eda4de6ddc5cf2a5c8f4
-
SHA256
d86628ed9c58fadce80cac836d949eb6dac45d1671a76d77ed4d39fe5db93bd8
-
SHA512
ad4dd92ce0de2a61be9328c01d82500b1bfea67d320267560647d9fb70cd6b24444346b6296bfa8584a4a0a29875eecbf0f8185d8a4abd2c0d5933e4fafde9e6
-
SSDEEP
6144:yk3hOdsylKlgryzc4bNhZF+E+W2knA1ADM/NuNNFNNXNNuNNdNNPNNaNNbNNWNNb:GAcNuNNFNNXNNuNNdNNPNNaNNbNNWNNb
Behavioral task
behavioral1
Sample
Ref671005018.xla.xls
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Ref671005018.xla.xls
Resource
win10v2004-20220812-en
Malware Config
Extracted
nanocore
1.2.2.0
37.139.128.94:6000
407839af-e81b-4512-9071-482887f971db
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-08-07T10:00:20.190590236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6000
-
default_group
client
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
407839af-e81b-4512-9071-482887f971db
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
37.139.128.94
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Ref671005018.xla.xlsx
-
Size
233KB
-
MD5
4e2e5429ef978cde8873d5354606cf77
-
SHA1
39d1d9c8416380c967c7eda4de6ddc5cf2a5c8f4
-
SHA256
d86628ed9c58fadce80cac836d949eb6dac45d1671a76d77ed4d39fe5db93bd8
-
SHA512
ad4dd92ce0de2a61be9328c01d82500b1bfea67d320267560647d9fb70cd6b24444346b6296bfa8584a4a0a29875eecbf0f8185d8a4abd2c0d5933e4fafde9e6
-
SSDEEP
6144:yk3hOdsylKlgryzc4bNhZF+E+W2knA1ADM/NuNNFNNXNNuNNdNNPNNaNNbNNWNNb:GAcNuNNFNNXNNuNNdNNPNNaNNbNNWNNb
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-